[PATCH net] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START

[PATCH net] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START

[David Carlier]

ISO data PDUs carry a packet-boundary flag indicating START, CONT, END
or SINGLE. The ISO_CONT branch of iso_recv() guards against a missing
ISO_START by checking conn->rx_len before touching conn->rx_skb, but
ISO_END does not.

If a peer sends an ISO_END as the first packet on a fresh ISO
connection, conn->rx_skb is still NULL and conn->rx_len is zero, so
skb_put(conn->rx_skb, ...) dereferences NULL and oopses. For BIS,
where receivers sync to a broadcaster without pairing, any broadcaster
on the air can trigger this.

Mirror the ISO_CONT check at the top of ISO_END so a stray end fragment
is logged and dropped instead of crashing the host.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 net/bluetooth/iso.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 7cb2864fe872..b971281f0a2b 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -2593,6 +2593,11 @@ int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, u16 flags)
 		break;
 
 	case ISO_END:
+		if (!conn->rx_len) {
+			BT_ERR("Unexpected end frame (len %d)", skb->len);
+			goto drop;
+		}
+
 		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
 					  skb->len);
 		conn->rx_len -= skb->len;
-- 
2.53.0

RE: [net] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 937 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1095152

---Test result---

Test Summary:
CheckPatch                    PASS      0.73 seconds
GitLint                       PASS      0.37 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      26.92 seconds
CheckAllWarning               PASS      29.66 seconds
CheckSparse                   PASS      28.48 seconds
BuildKernel32                 PASS      26.26 seconds
TestRunnerSetup               PASS      577.08 seconds
TestRunner_iso-tester         PASS      597.41 seconds
IncrementalBuild              PASS      26.05 seconds



https://github.com/bluez/bluetooth-next/pull/194

---
Regards,
Linux Bluetooth

Re: [PATCH net] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 15 May 2026 07:25:25 +0100 you wrote:
> ISO data PDUs carry a packet-boundary flag indicating START, CONT, END
> or SINGLE. The ISO_CONT branch of iso_recv() guards against a missing
> ISO_START by checking conn->rx_len before touching conn->rx_skb, but
> ISO_END does not.
> 
> If a peer sends an ISO_END as the first packet on a fresh ISO
> connection, conn->rx_skb is still NULL and conn->rx_len is zero, so
> skb_put(conn->rx_skb, ...) dereferences NULL and oopses. For BIS,
> where receivers sync to a broadcaster without pairing, any broadcaster
> on the air can trigger this.
> 
> [...]

Here is the summary with links:
  - [net] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
    https://git.kernel.org/bluetooth/bluetooth-next/c/6aba94a49bc9

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html